Security

How Praxiko handles your data

Praxiko runs on regional cloud infrastructure with privacy-by-default settings. Today, all Praxiko data is hosted in Australia, in the Sydney region; as Praxiko opens new markets, each will get its own in-region data residency. The trust signals below are factual and mechanical — the practitioner interprets the data; Praxiko keeps the record.

Trust signals

Australian data residency

All practitioner and client data is stored in Supabase's Sydney region (ap-southeast-2). Data residency is locked at project creation — moving regions is not a configuration toggle. This aligns with Australian Privacy Act expectations for handling health information onshore.

HTTPS enforced at the TLD level

Praxiko runs on the .app top-level domain, which is on the HSTS preload list — every major browser refuses to connect over plain HTTP regardless of how a link is shared. There is no insecure path to Praxiko.

Encryption at rest and in transit

Database storage and managed object storage are encrypted at rest by default. All network traffic between client devices, Praxiko's edge, and the database is encrypted in transit over TLS.

Row-level access controls

Every table that touches user data is scoped at the database level by enterprise (clinic). Practitioners cannot read or write data outside the enterprise their hat belongs to, even if an application-layer bug attempted to. This is enforced by Postgres row-level security policies, not by application code alone.

Runs under your practice's name

Each practice's clients see their clinic, co-branded with Praxiko. Data is scoped and labelled to the clinic at the database level — one practice's records are never visible to another.

Authentication

Sign-in uses single-use one-time codes delivered by email. Sessions are validated server-side against Supabase Auth on every request — cookies alone are never trusted.

Stores and surfaces; doesn't interpret

Praxiko stores and surfaces clinical information. It doesn't score symptoms, generate treatment recommendations, or auto-flag check-in answers. The practitioner interprets; the software keeps the record. That line is deliberate — it keeps Praxiko on the right side of medical-device regulation, and it keeps the clinical judgement where it belongs. Australia is the current launch market; the AHPRA advertising guidelines shape what Praxiko publishes about regulated health services here, and equivalent regimes apply in other English-language jurisdictions.

Reporting a security issue

If you believe you've found a security vulnerability, email security@praxiko.app with details. Praxiko reviews reports promptly and will coordinate disclosure once a fix has shipped.